Cost of fighting computer crime in NZ revealed
Tuesday 8 August 2006
Cost of fighting computer crime in New Zealand revealed for first time
- Otago University survey highlights lack of security training -
New Zealand organisations spend on average about half a million dollars annually fighting computer crime within their organisations, according to a new University of Otago survey.
The inaugural 2005 New Zealand Computer Crime and Security Survey, produced by the University’s Security Research Group, is the first survey of its kind to review information technology security in New Zealand.
The survey is based on the annual Computer Crime and Security Survey conducted by the United States-based Computer Security Institute (CSI) and the Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad, which aims to raise the level of security awareness and determine the scope of computer crime in the US.
The CSI/FBI survey has been running for the past 11 years. A similar survey has been conducted in Australia for the past six years by the Computer Emergency Response Team (AustCERT).
Until now, New Zealand has been reliant on the data from these surveys to guide its computer security responses.
The New Zealand survey, released this month, considered prevalence of security incidents, percentage of information technology department budget spent on security issues, use of cyber-security incident insurance, and intruder detection systems and other technologies, as well as popularity of workstation operating systems.
More than 200 organisations and government agencies responded to the survey (a 43% response rate). Of the respondents, more than 87% indicated they had experienced some form of security incident ranging from virus contamination or computer/laptop theft to abuse of email/net access, or illegal music/movie downloads.
KJ Spike Quinn of the University’s Security Research Group says the average financial cost of security incidents per organisation was around $452,000. Two-thirds of respondents believed aspects of security were inappropriately funded, he says.
“While most of the organisations reported they have at least some security technologies in place, not many organisations have staff with adequate training in IT security. Few organisations are prepared for preserving digital evidence of computer-related incidents,” says Mr Quinn.
This finding reinforces results from another study he completed last year which assessed IT managers on their knowledge of protecting a trail of electronic evidence for use in court.
“Most organisations did not have a forensic policy or realise the importance of it – it didn’t feature on their radar. The commercial and legal implications of this are huge. Knowing how to preserve digital evidence in a way that makes it admissible in court is crucial. The protection of data can mean the difference between a conviction and a case being thrown out in a court of law,” he says.
Mr Quinn is now finalising the 2006 New Zealand Computer Crime and Security Survey in collaboration with the Centre for Critical Infrastructure Protection, the New Zealand Police and CSI in the US.
The results from this second survey will be published on completion later this year. The 2007 results will be published next June to coincide with the release of the 2007 CSI/FBI and AustCERT results.
The full report of the 2005 New Zealand Computer Crime and Security Survey can be found at http://eprints.otago.ac.nz/342